Borresen, John - 0444 - MITLL wrote:
If the userPassword was changed via command-line (such as via the passwd command) the attribute pwdChangedTime does not get updated.
If you really mean 'passwd' then it's entirely a matter of your PAM installation/configuration what it sends.
It is only updated if the userPassword attribute is updated via either the ldapmodify or, in our case, Apache Directory Studio "Edit Value".
Is that how it should work? Of did I miss something else somewhere?
Regarding LDAP the modify operation on 'userPassword' and the LDAP Password Modify Extended Operation (see RFC 3062) will make slapo-ppolicy intercept the request and set 'pwdChangedTime'.
You have to configure whatever PAM client you're using to send appropriate LDAP requests.
Ciao, Michael.